LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14973 Commits
1 Branch
46 MiB
Tree: 52453b921b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '52453b921b'
${ noResults }
openwrt-packages-dist/net/banip/files/banip.init

88 lines
1.7 KiB
Raw Normal View History

banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.0.6 * support multiple WAN interfaces in iptables rules, set 'ban_iface' option accordingly (as space separated list) or use the LuCI frontend * add new "refresh" mode while triggered by fw changes (no download) * add required ip dependency * fix wrong 'settype' definition for firehol1 in config Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.0.6 * support multiple WAN interfaces in iptables rules, set 'ban_iface' option accordingly (as space separated list) or use the LuCI frontend * add new "refresh" mode while triggered by fw changes (no download) * add required ip dependency * fix wrong 'settype' definition for firehol1 in config Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: update 0.0.6 * support multiple WAN interfaces in iptables rules, set 'ban_iface' option accordingly (as space separated list) or use the LuCI frontend * add new "refresh" mode while triggered by fw changes (no download) * add required ip dependency * fix wrong 'settype' definition for firehol1 in config Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banIP: release 0.1.0 * add automatic blocklist backup & restore, they will be used in case of download errors or during startup in backup mode * add a 'backup mode' to re-use blocklist backups during startup, get fresh lists via reload or restart action * procd interface trigger now supports multiple WAN interfaces * change URL for abuse.ch/feodo list source in default config * small fixes * update readme Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
 
  1. #!/bin/sh /etc/rc.common
  2. #
  3. 

  4. START=30
  5. USE_PROCD=1
  6. 

  7. EXTRA_COMMANDS="refresh status"
  8. EXTRA_HELP="	refresh	Refresh ipsets only (no new download!)
  9. 	status	Print runtime information"
  10. 

  11. ban_init="/etc/init.d/banip"
  12. ban_script="/usr/bin/banip.sh"
  13. ban_pidfile="/var/run/banip.pid"
  14. 

  15. boot()
  16. {
  17. 	ban_boot="1"
  18. 	rc_procd start_service
  19. }
  20. 

  21. start_service()
  22. {
  23. 	if [ $("${ban_init}" enabled; printf "%u" ${?}) -eq 0 ]
  24. 	then
  25. 		if [ "${ban_boot}" = "1" ]
  26. 		then
  27. 			return 0
  28. 		fi
  29. 		local nice="$(uci_get banip extra ban_nice)"
  30. 		procd_open_instance "banip"
  31. 		procd_set_param command "${ban_script}" "${@}"
  32. 		procd_set_param pidfile "${ban_pidfile}"
  33. 		procd_set_param nice ${nice:-0}
  34. 		procd_set_param stdout 1
  35. 		procd_set_param stderr 1
  36. 		procd_close_instance
  37. 	fi
  38. }
  39. 

  40. refresh()
  41. {
  42. 	rc_procd start_service refresh
  43. }
  44. 

  45. reload_service()
  46. {
  47. 	rc_procd start_service reload
  48. }
  49. 

  50. stop_service()
  51. {
  52. 	rc_procd "${ban_script}" stop
  53. 	rc_procd start_service
  54. }
  55. 

  56. status()
  57. {
  58. 	local key keylist value rtfile="$(uci_get banip global ban_rtfile)"
  59. 

  60. 	rtfile="${rtfile:-"/tmp/ban_runtime.json"}"
  61. 	json_load_file "${rtfile}" >/dev/null 2>&1
  62. 	json_select data >/dev/null 2>&1
  63. 	if [ ${?} -eq 0 ]
  64. 	then
  65. 		printf "%s\n" "::: banIP runtime information"
  66. 		json_get_keys keylist
  67. 		for key in ${keylist}
  68. 		do
  69. 			json_get_var value "${key}"
  70. 			printf "  + %-10s : %s\n" "${key}" "${value}"
  71. 		done
  72. 	else
  73. 		printf "%s\n" "::: no banIP runtime information available"
  74. 	fi
  75. }
  76. 

  77. service_triggers()
  78. {
  79. 	local ban_iface="$(uci_get banip global ban_iface)"
  80. 	local delay="$(uci_get banip extra ban_triggerdelay)"
  81. 

  82. 	PROCD_RELOAD_DELAY=$((${delay:-2} * 1000))
  83. 	for iface in ${ban_iface:-"wan"}
  84. 	do
  85. 		procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" start
  86. 	done
  87. 	procd_add_reload_trigger "banip" "firewall"
  88. }